Three more nets cracked with SQL injections; gray-hat posts user data in public as a lesson to Sony

This time it was the e-commerce portion of Sony Ericsson's Canadian site; hackers took emails, passwords and phone numbers, but no credit cards.

Sony closed down the e-commerce section of the site (with a lame joke based on a years-old cliche and colloquialism from a country on the opposite side of the world from the one that hosts the most recently victimized site).

Ldahc, who describes himself as a Lebanese gray-hat hacker, claims to be responsible for the hack, which he accomplished with a SQL injection, and posted some of the data on pastebin.com, a site that offers programmers and anyone else free temporary storage of text data. (It also asks, in particular, that users "do not paste email lists, password lists or personal information." I think ldahc violated that policy as well as Sony's.)

The Sony Canada hack came two days after the parent company estimated that the cost of the attacks would be $173 million – about 10 percent of the cost of the tsunami, earthquake and ongoing weather and power-related disaster recovery in Sony's native Japan.

The eScan blog listed details of the attacks, several of the vulnerable sites, and the damning conclusion that, ultimately, the reason so many Sony sites are so vulnerable is that no one person or group at Sony has been held accountable for corporate security.

While Sony has apologized to customers, it hasn't taken responsibility for the global weakness of its security – a point that, after the original high-profile attack and its many sequels, everyone who cares already understands, whether Sony admits it or not.

At this point, it hardly matters. Time to call it quits and start over from the beginning, Sony.